News and my experience working with GNU/Linux and open source softwares.

Sunday, April 9, 2006

Gunning for Linux The free operating system--backed by IBM, HP, and others-- is breaking Microsoft's monopoly.

...but a lawsuit by SCO, which claims to own parts of the code, could wreck the party.

old news but nice to read.

By Roger Parloff

May 17, 2004

(FORTUNE Magazine) – In the ascetic waiting room of the SCO Group's Lindon, Utah, headquarters, the only reading matter is a stack of beige, telephone-book-sized binders. They are volumes I, II, III, and IV of the company's press clippings. For the previous month. SCO (pronounced "skoe," to rhyme with "snow") is already notorious in three insular communities. The first to appreciate its significance were countercultural software developers, at least a few of whom would like to transform society by reordering our approach to the protection of intellectual property. Next to catch on were the pragmatic information technology officers and risk-averse in-house lawyers who work for every company this magazine writes about. Now the ripple effects are about to touch the rest of us, and we need to know about SCO too.

SCO became infamous in March 2003, when it sued IBM alleging that the IT giant had improperly dumped parts of SCO's confidential, enterprise-grade, proprietary software code, called Unix, into Linux. Linux (rhymes with "cynics") is a "free" or open-source operating system that can be downloaded off the Internet for no charge. Such software is called free not because of its price (there is no prohibition on charging for it, though most people don't) but rather because its source code--the specialized language in which it is written--is kept open to public view, enabling developers to freely comprehend it, modify it, debug it, customize it, and distribute it. With proprietary software, like Microsoft Windows, developers can typically do none of those things, because of both legal prohibitions and technological barriers.

Though Linux began as a hobby of sorts among software developers, in recent years IBM, Hewlett-Packard, NEC, Intel, Computer Associates, Fujitsu, Hitachi, and others have come to see enormous commercial potential in it. These companies believe they can make money indirectly off Linux by selling hardware loaded with it, proprietary software that runs on top of it, or support services that maintain and optimize it. Such companies, led by IBM, have already invested more than $1 billion in upgrading Linux for general business, data-center, and telecommunications purposes.

For some, the bet is paying off. IBM reported more than $2 billion in Linux-related revenues last year, a gain of 50% over the previous year. Though it is still rare to see Linux running on desktop computers in American offices, it is now commonplace on network servers at FORTUNE 1,000 companies, universities, and government agencies. It accounted for 23.5% of the market for new server software shipments in 2002, running a very respectable second to Microsoft's 55%, according to market research firm IDC. (Unix was third, with 11%.) Many corporate CTOs and CIOs consider Linux more reliable, flexible, and transparent, not to mention cheaper, than proprietary alternatives. In addition, millions of consumer electronics devices--cellphones, PDAs, TiVos, and DVD players--are already running on stripped-down, "embedded" versions of Linux. Linux is even gaining in the desktop environment, where IDC estimates that shipments are increasing yearly at a 25% rate.

Because of Linux's increasingly important role, the SCO suit swiftly escalated from an arcane two-party licensing dispute into a whirlpool of litigation engulfing a widening circle of companies. The dispute stemmed from SCO's 2001 acquisition of Unix, an operating system developed by AT&T in the late 1960s for use on mainframes and minicomputers. Included in the purchase were some 30,000 licensing contracts that AT&T had entered into with about 6,000 universities, government agencies, and businesses, including IBM.

SCO's acquisition of Unix soon had repercussions for all Linux users, even those who had never licensed Unix. Linux had been designed to share some programming principles with Unix, so that developers who felt at home in the Unix environment could easily adapt. In May 2003, SCO announced that it had discovered other fragments of alleged Unix code in Linux--quite apart from anything IBM may have put there. It sent letters to every FORTUNE 1,000 and FORTUNE Global 500 company warning that end users of Linux were violating its copyrights. SCO demanded $699 per single-processor server running Linux to license whatever Unix code might be floating around inside.

Next, network software distributor Novell jumped into the vortex. Novell was then turning its business model inside out to embrace Linux--a decision for which it would be rewarded with a $50 million investment by IBM in November. In late May 2003, Novell announced that it actually owned all the crucial Unix rights that SCO had been asserting against IBM and Linux end users. Novell cited provisions of an impenetrably confusing 1995 contract in which Novell had sold certain Unix rights, while retaining others, to the company from which SCO had later acquired its Unix rights. In January, SCO sued Novell for "slandering its title" to the Unix assets.

Finally, this March, SCO sued two Linux end users, AutoZone and DaimlerChrysler, in state courts in Nevada and Michigan, forcing even the sleepiest of corporate counsels to take notice. Every business that had either switched to Linux or was contemplating doing so--and it was a rare company that didn't fall into one or the other category--now had to worry about becoming the next AutoZone. Some discovered that they were at least theoretically exposed to even worse doomsday scenarios. Suppose your company had shipped ten million cellphones, for example, and it later turned out that each one contained five lines of stray Unix gobbledygook mixed up among a million lines of embedded Linux gobbledygook. Could a court really order your company to recall all ten million devices just to tear out and rewrite a few lines of offending techno-gibberish? Answer: yes.

Yet all this tumult still doesn't fully account for the towering stack of press clippings on the SCO waiting room's end table. The religious fervor of the backlash against SCO's suits reveals that this is no plain-vanilla licensing dispute. (One whole volume of January clippings was devoted to the MyDoom worm, which had primed infected computers worldwide to stage a crippling denial-of-service attack on SCO's website.) SCO's suits happen to be imperiling a movement. That movement teaches that software should be a public utility, not a product, and that free software is just one illustration of how a radically different, more communal approach to intellectual property will better serve the advancement of knowledge, innovation, and creativity.

Readers need not buy into the grander vision, however, to agree that what's at stake in the lawsuits is much bigger than SCO or even IBM. Even the stodgiest greed-is-good capitalist cannot deny that the loose-knit band of free-software enthusiasts has already succeeded where the U.S. Department of Justice and the European Commission have failed. These developers are right now, before our eyes, curbing the Microsoft Windows monopoly. They have created a genuine competitor to Windows--one that, because of its nonproprietary nature and diffuse authorship, Microsoft can neither acquire nor suppress. Explains Eben Moglen, a Columbia Law School professor and the chief lawyer for the Free Software Foundation: "The technical and business transactions which Microsoft has employed in the past to protect its franchise against commoditization have met a successful, irreversible commoditization movement. And the largest and best-funded competitor in the information technology industry"--IBM--"has figured out how to benefit from it."

Yet the source of Linux's strength in the market--that diffuse, communal authorship--is also its soft underbelly in the courtroom. Because it is continually cobbled together from informal contributions by thousands of developers scattered across the globe, there is no assurance that its many co-authors are all scrupulously donating only fragments that they have written themselves, as opposed to, for instance, lifting or paraphrasing--even unwittingly--from copyrighted or patented code.

Even beyond questions of tainted pedigree, Linux is a morass of law-school exam questions waiting to be administered. In copyright terms, no one knows just what manner of beast it is. Is it a work of "joint authorship"? A "compilation"? A perpetually expanding series of "derivative works"? Without knowing the answers to those questions, lawyers can't pinpoint precisely who owns either the whole of Linux or any of its fragments. Lawyers don't even know what country's law should apply when trying to untangle any of those questions.

The SCO suits are in this sense more important for the structural vulnerability in Linux that they have exposed than for the specifics of the wrongdoing they assert. Those who hope to use open-source code in the commercial world will have to learn to protect such works--and themselves--from courtroom assault. They need to start today.

Surprisingly enough, the man who founded the whole free-software movement--the playful, eccentric, now-51-year-old Richard Stallman--saw the problem coming and tried to head it off. In the early 1980s the MIT Artificial Intelligence Lab where Stallman worked installed a new, updated mainframe computer. It was a traumatic event for Stallman, for reasons he has described in his book of essays, Free Software, Free Society. For more than a decade Stallman and his colleagues had been writing and improving the software that had run on the predecessor machine. When the new computer arrived, all their work went up in smoke. The new machine came with its own proprietary operating system, whose source code was a carefully guarded trade secret. To his horror Stallman learned that he and his community of developers would no longer be permitted to tinker with it.

This approach was worse than infantilizing, in Stallman's view. It was "antisocial," "unethical," and "simply wrong." Stallman decided to devise his own operating system, whose source code would be free and open for all to examine and critique and modify. He would call it GNU, which stood for "GNU's Not Unix." (It's pronounced with a hard "g," and rhymes with "canoe.")

Stallman's GNU project produced many of the higher-level functions of an operating system, but as the 1990s dawned he had still not yet gotten down to the "kernel" --the lower-level functions that interact most directly with the hardware. Serendipitously, in 1991 a 19-year-old Finnish college student named Linus (pronounced "LEE-nus") Torvalds independently began composing his own operating system. Unlike Stallman, Torvalds began at the lowest levels. ("Lowest" in this culture is not pejorative but laudatory. The closer a developer gets to the machine, the greater the respect to which he or she is entitled.)

Torvalds posted his work-in-progress on the Internet, inviting comment. To his surprise, his posting garnered considerable interest, as well as insightful suggestions from sophisticated developers around the world. From that point forward the project proceeded quickly and communally, with Torvalds or his delegates making the final determinations about which suggestions to incorporate. Many open-source enthusiasts believe that this communal approach intrinsically results in more reliable, bug-free software than proprietary code.

Eventually Stallman's upper-level GNU functions were placed on top of Torvalds's kernel, and the operating system was complete. The whole is now typically referred to as Linux.

But there was a crucial legal difference between the portion of the project led by Stallman and that led by Torvalds. The difference stems from Stallman's rather fanatical notion of "free"--which extends beyond the conventional notion of merely allowing people to do what they want. Stallman foresaw that some people might want to take free software, modify it, and claim the modifications as their own property. He did not want that to happen. To him it was fundamental that if he was going to let others see and play with what he had created, the others had to reciprocate. He embodied this peculiarly controlling notion of freedom in an unusual license he wrote himself, known as the General Public License (GPL).

Stallman's controlling view of freedom extends to press freedom, which is why he is not directly quoted in this article. As a precondition to being interviewed, Stallman insists that reporters agree to certain usage rules regarding the phrase "free software"--he abhors the more popular term "open source"--and that they pledge to refer to Linux in their stories as GNU/Linux--a name that, he feels, better acknowledges his own contributions to it. FORTUNE declined.

In a nutshell, the GPL allows users of GNU software to copy, modify, and distribute it as long as they permit others to do the same with the modifications they make. It's a little like a reverse copyright. A friend of Stallman's famously called the GPL "copyleft--all rights reversed."

Many people have mistakenly assumed that the free-software movement is at odds with copyright law. On the contrary, it depends upon it. The GPL is not a conventional contract, and its enforceability, most lawyers believe, hinges on copyright laws (see box). Stallman was therefore scrupulous about keeping his copyrights in good order. In 1984, for instance, he quit MIT to ensure that the university could not claim ownership of the software he wrote under the so-called work-for-hire doctrine that governs many employer-employee relationships. He also required that any contributor to the GNU project formally assign his or her copyrights to the Free Software Foundation in a pen-and-paper document, and likewise provide a signed acknowledgment from his or her own employer waiving any possible work-for-hire claims. He further insisted that contributors indemnify the Free Software Foundation if it later turned out that their contributions were not their own and therefore infringed someone else's copyright.

Although Torvalds elected to use Stallman's GPL license to cover the Linux kernel, he never instituted any of Stallman's scrupulous methods of ensuring that copyrights were assigned to a central entity, nor did he try to police contributors to ensure that they weren't donating code that didn't belong to them. Torvalds was just a college kid, after all, pursuing a then-noncommercial labor of love. In any event, why would a Finn, collaborating with quasi-anonymous e-mailers from Germany, Sweden, Mexico, or places literally unknown, break his back to comply with U.S. copyright law?

Nevertheless, the consequence today of Torvalds's understandable omission is that the kernel at the heart of Linux--upon which companies like IBM are now staking their futures and challenging the Microsoft behemoth--is legally radioactive.

The much-loathed would-be Linux slayer we know today as SCO has its roots in a secret, visionary unit of Novell that was set up in the early 1990s to--of all things--develop a commercial-grade version of Linux. In 1994, Novell dumped the project, and the unit's leaders left to form their own company, Caldera. In March 2000, Caldera went public. At that point, then-CEO Ransom Love recalls, Linux had progressed to the stage where it was well suited for the branch offices of a national business--like, say, an AutoZone outlet--though such businesses might still need to run Unix at their headquarters. Love thought that if he could acquire the rights to Unix, he could better meet customers' needs and meld Unix and Linux into a single environment.

Caldera had another motive for acquiring Unix, Love adds--one that is ironic in light of how events would play out. Love understood that Linux's potential Achilles' heel was its mongrel intellectual-property pedigree. "If Microsoft was ever going to attack," Love says, "they would do it through fear and uncertainty and doubt around the intellectual-property issue." Love also knew that, given Linux's provenance, the most likely source of illicit contributions into Linux was Unix. "By purchasing Unix, we felt like we could actually provide indemnification" to Linux end users--i.e., pledges to protect them from potential copyright suits by people claiming to own fragments of Linux.

AT&T had created Unix in 1969 as a unifying operating system that would run on a wide variety of hardware. It licensed Unix to different customers on different terms. Universities were often allowed to see and modify the source code as long as they did not use it for commercial purposes. Commercial licensees received the code on more restrictive terms.

Many hardware manufacturers--including IBM, Silicon Graphics, Hewlett-Packard, and Sun Microsystems--were allowed to see and modify the source code and then redistribute the software (but not its source code) preloaded on their hardware. In exchange, they paid royalties on the redistributed code and promised to keep confidential the source code for both Unix and their "derivative" works. Over time, many manufacturers developed their own "flavors" of Unix--Sun's was Solaris, for instance, while IBM's was AIX--as did some universities. All these variants cross-pollinated over the years. For this reason, identifying the correct copyright holder of any one stretch of code in any one flavor of Unix--and the precise terms under which that copyright holder originally licensed it--can be a daunting challenge. The best genealogy of Unix is illustrated in a comically unfathomable chart provided by French software historian Eric Levenez on his website at www.levenez.com. That family tree prints out across 17 eight-by 11-inch pages. (See excerpt at right.)

Novell bought the Unix business from AT&T in 1993, but then, after a management change, sold most of the Unix assets to a small company called Santa Cruz Operation in 1995. In May 2001, Caldera's Love bought those Unix assets from Santa Cruz. He bought the Santa Cruz name too, announcing that Caldera would become the SCO Group in summer 2002.

Meanwhile, the tech economy was falling apart, throwing the company into turmoil. In addition, in 2001 IBM suddenly withdrew from a joint venture with Santa Cruz--known as Project Monterey--that Caldera had banked on as an important revenue source.

In June 2002, Love was replaced as CEO by Darl McBride, a former Novell executive who had been selected because of his expertise in marketing through a reselling channel. McBride had opened Novell's Japan operation in 1990--he speaks fluent Japanese, which he learned on a Mormon mission during college--and had taken that unit to $150 million in revenues in about three years.

McBride is a blunt, unnuanced man with a fireplug build. (He lettered in four sports in high school.) He is old school, and not easily swept up by visionary rhetoric. And he is not one to back down from a fight. About a week after he joined SCO, some IBM officials came to visit him, he says. "They were out here talking about how important this Linux thing is. I was talking about, well, Linux is interesting, but we have this other thing called Unix, which is where we make all of our money. They came back very strongly with, 'The operating system must be free.' Okay, that's their game plan, fine. But what they're trying to do is impose that standard on the world."

While McBride was figuring out what to do with the company, customers began approaching him with a proposition. Users of SCO's Unix systems that were switching to Linux had discovered that their old Unix applications would run seamlessly on Linux if they merely copied certain critical SCO Unix files--known as run-time libraries--into Linux. Aware that such copying might violate their licenses with SCO, these customers wanted SCO to license them just those files. At the same time, SCO learned that other, less prudent customers were copying those libraries without asking permission. McBride decided to set up a division, SCOsource, to license the libraries to Linux users and--um, er--to remind others of their obligations when it came to copying SCO's Unix-related intellectual property.

McBride started bouncing this idea off "big time" players and business partners, he recalls, like Oracle, HP, and Red Hat. "The reactions were neutral to positive," McBride claims. "Except in IBM's case. Which was a violent reaction. Their response back to me was very simple: We cannot let customers even have an inkling that there might be intellectual-property problems inside of Linux. For any reason."

With tension between SCO and IBM rising--IBM's withdrawal from Project Monterey was still a simmering issue--SCO announced the launch of the licensing unit at a LinuxWorld conference in January 2003. It also signed up the most credentialed litigator in America, David Boies, as the unit's enforcer. At the same conference Steve Mills, the head of IBM's software group, unwittingly exacerbated tensions in his exuberant keynote. According to one news account, Mills stated that while Linux lagged behind Unix at the moment, IBM would exploit its expertise with AIX to bring it up to speed. "The pathway to get there is an eight-lane highway," he reportedly said. Asked whether Linux would eventually replace AIX--IBM's flavor of Unix--Mills implied that it would. A few minutes later Dell's CIO, Ron Mott, displayed a slide to the same audience and read aloud its conclusion: "Unix is dead."

In this and earlier public statements, IBM implied that it was grafting sophisticated code from AIX onto Linux to accelerate Linux's commercial upgrade. McBride believed IBM couldn't do that, since all AIX code constituted, in his view, a Unix "derivative" whose source code IBM had to keep secret under its licenses.

In March 2003, SCO sued IBM, and--as Moglen aptly analogizes--it was as if Gavrilo Princip had assassinated the Archduke Franz Ferdinand.

The Linux community was naturally skeptical about SCO's claims and became more so when SCO initially refused to say precisely which segments of Linux code it was claiming title to. Since Linux developers were offering to rip out and replace anything that might infringe, it appeared to SCO's critics that SCO was more interested in gouging Linux users than in protecting Unix code. (SCO maintained that it could not publicly identify any filched source code without waiving the very confidentiality rights that it was trying to protect and enforce.)

There were other reasons to be suspicious of SCO's good faith. SCO's stock price rose sharply in the wake of the suits' announcement--from $1.09 in mid-February to $20.50 in October--and some officers and directors were regularly selling chunks of stock. Though McBride was not among them, he did receive almost $1 million in cash compensation in 2003--an extraordinary sum for the CEO of a microcap.

In addition, very shortly after filing the IBM suit, SCO corralled $25.8 million in what were characterized as licensing agreements with Microsoft and Sun. They were widely interpreted as efforts by Microsoft and Sun to bankroll the legal assault upon Linux.

The bounty-hunting terms of SCO's retainer agreement with Boies are yet another cause for raised eyebrows. Boies's firm and the others working with him are billing SCO at discounted hourly rates, but in return they stand to receive 20% of any judgments or settlements that result. What's unusual, though, is that the contracts specify that if SCO is acquired during the litigation--imagine, say, IBM buying SCO to make it go away --SCO's lawyers will take 20% of the company's sale price. The lawyers even receive 20% of any financings SCO receives during the litigation. For instance, when SCO got a $50 million private placement in October 2003, SCO's law firms immediately banked more than $8.9 million, including $1 million cash. One of the law firms working with Boies's 178-lawyer firm on the case and, therefore, sharing in the booty, is Los Angeles solo practitioner Kevin McBride--CEO McBride's brother. How does Boies's firm split the money with Kevin McBride and the others? The "lion's share" goes to the Boies firm, Kevin McBride says.

We've reached the point in the narrative where some brute legal analysis can no longer be postponed. We'll make it brief. The challenge in writing about the SCO suits--and inevitably fattening SCO's next volume of press clippings--is that even the most skeptical account tends to advance SCO's cause. Fear of lawsuits, even meritless ones, can spur companies to shy away from switching to Linux or to pay SCO the toll it seeks. This is the power of sowing FUD--fear, uncertainty, and doubt--which is a strategy of long standing in the computer industry. Certainly there are reasons to be skeptical of SCO's legal claims. Though SCO's key original claim against IBM was dramatic and easy to empathize with--the claim that IBM dumped Unix code into Linux--it has subsequently become clear through courtroom give-and-take that SCO's claim is actually more attenuated. The crux, as McBride concedes in an interview, is really that IBM dumped into Linux AIX code that IBM wrote itself but that SCO says is "derivative" of Unix and therefore covered by the confidentiality provisions of IBM's original license with AT&T. It's not a preposterous reading of the license, but it's an aggressive one.

By far the greatest potential obstacle for SCO is the astoundingly confusing September 1995 sales contract whereby Novell transferred some but not all of its Unix rights to Santa Cruz, and thence to SCO. If Novell's reading of that contract turns out to be right--i.e., that Novell retains control of all the crucial rights SCO is now asserting--SCO's whole post-McBride business model is annihilated.

SCO insists that the 1995 deal was exactly what the outside world then thought it was--a sale by Novell to Santa Cruz of Novell's "Unix business" and "Unix intellectual property," as the companies' joint press release described it at the time. Nevertheless--and at least in part because the smallish Santa Cruz could not have afforded the Unix business otherwise--the actual contract specifies that Novell is to continue to receive 95% of the royalty income from the existing Unix licenses, and that it retains veto power over the enforcement of those licenses. (The contract anticipates that Santa Cruz would eventually release a next-generation Unix, whose royalties would be entirely its own.) What the contract leaves unclear is whether Novell's veto power also extends to the non-royalty-yielding source-code licenses, including the one that now forms the crux of SCO's case against IBM.

The other huge question mark left by the same contract revolves around the Unix copyrights, which are SCO's sole basis for demanding licenses from Linux end users. Notwithstanding the claims of the press release heralding the deal, a critical appendix to the contract states that "all copyrights" are excluded from the sale. SCO claims that this was a typo--a whopping typo, to be sure--that was corrected in an amendment a year later. But the amendment itself is confusing and vague.

The one advantage SCO might have in this absolutely critical dispute with Novell is that McBride was present when the sales contract was being negotiated--though he happened to be on the Novell side of the table back then. By contrast, none of Novell's current top management were. "I was in the staff meetings," McBride protests. "We [at Novell] were selling Unix. We were exiting the business. I've gone back and talked to all of those guys. We have statements from them. We know what they're going to say as this goes through." (The two signatories to the contract declined to comment.)

As if those issues aren't knotty enough, SCO is also inviting Linux end users into a litigation tar pit when it comes to its claims about the Unix fragments in Linux. Many of the files SCO alleges are infringing are "header" files, containing names, data, and other information that many copyright specialists doubt are copyrightable at all. In addition, SCO is complaining not just about verbatim copying but also about the purloining of its code's "structure, sequence, and/or organization"--another notion that probes the outer reaches of what is copyrightable. The last time the U.S. Supreme Court grappled with such questions was in 1996, in a would-be landmark dispute in which the justices wrestled themselves to a 4-4 draw. In sum, even if SCO is bluffing, it will be an exceedingly expensive bluff to call.

It's not about SCO. It's not about SCO. It's not about SCO." Daniel Egger, a lawyer, software developer, and venture capitalist, has pored over SCO's legal claims and found them wanting. What Egger does believe, however, is that the SCO suits have exposed a "structural" problem with open-source software that has staying power. In fact, Egger believes that so strongly that he has joined the growing ranks of entrepreneurs who now offer consulting services and proprietary software to help commercial users of open source minimize their legal risks.

Other business lawyers share Egger's view that there is a structural problem. Though copyright suits like SCO's get most of the press, attorney Irwin Gross remarks, patent suits are an even greater threat. "There's a lot of roadkill out here," he says, referring to all the Silicon Valley startups that failed and whose only remaining assets are their patents. "There's a lot of patent applications floating around in the hands of people who don't have an interest in anything other than asserting them."

Though Hewlett-Packard, Novell, and others have begun offering "indemnification" to their open-source customers, the guarantees are comforting only until you read the fine print, according to Egger. The protections typically vanish if the customer modifies the software--the raison d'etre of open source--while some apply only to suits by SCO, others have liability caps, and on it goes.

Although proprietary software is also vulnerable to copyright or patent claims, its end users have some assurance that their vendors will go to bat for them if there should be a problem--if not because of indemnification contracts, then just as a matter of business self-interest. Until now, open-source end users have had no analogous "sugar daddy" to turn to, as Gross puts it.

Egger hopes his startup, Open Source Risk Management, will serve such a role. In time he aims to sell open-source insurance policies. In the shorter term, three Linux promoters--IBM, Intel, and MontaVista Software--have already ponied up $3 million to seed a legal defense fund for Linux end users sued by SCO.

The gathering array of alliances and opportunistic businesses rallying to the legal rescue of open-source suggests that as long as corporate behemoths like IBM and HP see a stake in making open source survive, it will. "If SCO shows anything," says Gross, "it shows the phenomenon of how many big players are now inextricably intertwined with Linux. And it shows how reviled you're going to be if you pursue the Linux community."